Automic Workload Automation


Error code 5 : Access denied, CreateProcessAsUser

  • 1.  Error code 5 : Access denied, CreateProcessAsUser

    Posted 06-18-2018 07:41 AM

    Agent Version: version '12.0.3+build.791'

    Windows 2016 server.

    I am getting the following in the Agent log on Windows 2016:

     

    20180618/132637.350 - U02001040 Error in function 'CreateProcessAsUser', error code '5', error description: 'Access is denied.'.
    20180618/132637.366 - U02001000 Job 'MSSQL_T03_TEST' could not be started. Error code '5', error description: 'Access is denied.'.

     

    I have granted the following to the user/group concerned:

    1) Logon as batch job
    2) Act as part of the operating system
    3) Create a token object
    4) Replace a process level token

     

    The same user/group works on Windows 2012 Server.

     

    Firewall is disabled for tests

     

    Anybody in the same situation?

     

    Thanks,

    Ray FOX



  • 2.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 06-19-2018 03:28 AM

    Is UAC enabled? Does turning it off make any difference?



  • 3.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 06-19-2018 04:01 AM

    Hi

     

    did you grant ALL of the privileges to the user - mentioned here:

    Automic 

     

    cheers, Wolfgang



  • 4.  Re: Error code 5 : Access denied, CreateProcessAsUser
    Best Answer

    Posted 06-19-2018 04:14 AM

    Thanks for your suggestions Wolfgang and Chandru.

     

    I have found that McAfee Endpoint Security is the culprit. There are errors in the Windows Event Viewer as follows:

     

    EventID=18060 NT AUTHORITY\SYSTEM ran UCXJWX6.EXE, which tried to access C:\AUTOMIC\AGENTS\WINDOWS\TEMP, violating the rule "Suspicious Double File Extension Execution", and was blocked. For information about how to respond to this event, see KB85494.

     

    I disabled McAfee Endpoint Security and executed the job - it worked.

     

    Ray



  • 5.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 06-19-2018 04:21 AM

    Great!

     

    THX for the info!

     

    cheers, Wolfgang



  • 6.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 07-12-2018 06:52 AM

    Hi,

     

    We have experienced the same situation. We disabled McAfee Endpoint Security on the server and that solved it.

     

    Olgun.



  • 7.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 07-18-2018 06:49 AM

    Hi all,

    We have seen this error for the first time today.

    It is on a couple of new Windows 2016 servers.

     

    Likewise, we see this error in the log...

     

    EventID=18060

     

    NT AUTHORITY\SYSTEM ran UCXJWX6.EXE, which tried to access C:\AUTOMIC\AGENTS\WINDOWS\TEMP, violating the rule "Suspicious Double File Extension Execution", and was blocked. For information about how to respond to this event, see KB85494.

     

    I don't really want to have to disable McAfee Endpoint Security on all new Windows servers.

     

    Any other option?

     

    John.

     



  • 8.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 07-18-2018 07:58 PM

    Endpoint Security Natural Language String event messaging index 

     

    Determine whether the behavior was expected:

    • If expected, you must either:
      • Accept/ignore the data
      • Create an exclusion for the specified rule to exclude the process that is violating the rule
    • If not expected, investigate the behavior further because either:
      • The behavior is occurring because of malware that has infiltrated the process
      • The behavior is normal and needs to be reclassified as expected behavior, in which case you would see the previous bullet for expected behavior


  • 9.  Re: Error code 5 : Access denied, CreateProcessAsUser

    Posted 10-11-2018 07:36 AM

    Hi John,

    The problem McAfee has is the double extension of the job files in the temp directory (J******.TXT.BAT).
    It should be possible to exclude only the double extension check for the servers with Automic Windows Agents.

    Cheers, Philipp
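
The diagnosis reached in this thread (agent error code 5 caused by an Endpoint Security block on double-extension job files rather than by missing privileges) can be checked mechanically. The Python below is an added example, not part of the original posts or of any Automic or McAfee tooling; the agent log layout is inferred from the lines quoted above, and the function names and return labels are hypothetical.

```python
import re
from datetime import datetime
# Agent log layout inferred from the two lines quoted in the thread (assumption).
AGENT_RE = re.compile(r"^(?P<ts>\d{8}/\d{6}\.\d{3}) - (?P<msg_id>U\d{8}) ")
ERR_RE = re.compile(r"[Ee]rror code '(?P<code>\d+)'")
# Message layout taken from the EventID=18060 text quoted in the thread.
ENS_RE = re.compile(
    r"^(?P<user>.+?) ran (?P<proc>\S+), which tried to access (?P<target>.+?), "
    r'violating the rule "(?P<rule>[^"]+)", and was blocked')
# name.ext1.ext2 where the final extension is a script or executable type.
DOUBLE_EXT_RE = re.compile(r"^[^.\\/]+\.[A-Za-z0-9]{1,4}\.(bat|cmd|exe|ps1|vbs)$", re.I)
# Sample data: log and event text copied from the thread.
SAMPLE_AGENT_LOG = [
    "20180618/132637.350 - U02001040 Error in function 'CreateProcessAsUser', "
    "error code '5', error description: 'Access is denied.'.",
    "20180618/132637.366 - U02001000 Job 'MSSQL_T03_TEST' could not be started. "
    "Error code '5', error description: 'Access is denied.'.",
]
SAMPLE_ENS_EVENT = (
    r"NT AUTHORITY\SYSTEM ran UCXJWX6.EXE, which tried to access "
    r"C:\AUTOMIC\AGENTS\WINDOWS\TEMP, violating the rule "
    r'"Suspicious Double File Extension Execution", and was blocked.')

def parse_agent_errors(lines):
    """Return (timestamp, message id, Win32 error code) per agent error line."""
    out = []
    for line in lines:
        m, e = AGENT_RE.match(line.strip()), ERR_RE.search(line)
        if m and e:
            ts = datetime.strptime(m["ts"], "%Y%m%d/%H%M%S.%f")
            out.append((ts, m["msg_id"], int(e["code"])))
    return out

def parse_ens_block(message):
    """Split an ENS block message into user, proc, target and rule."""
    m = ENS_RE.match(message.strip())
    return m.groupdict() if m else None

def is_double_extension(name):
    return bool(DOUBLE_EXT_RE.match(name))

def triage(agent_lines, ens_message, agent_exe="UCXJWX6.EXE"):
    """Separate an endpoint-protection block from a privilege or UAC problem."""
    if not any(code == 5 for _, _, code in parse_agent_errors(agent_lines)):
        return "no-access-denied"
    block = parse_ens_block(ens_message)
    if block and block["proc"].upper() == agent_exe and "Double File Extension" in block["rule"]:
        return "ens-double-extension-block"
    return "check-privileges-or-uac"
```

A result of `ens-double-extension-block` points at a scoped exclusion for that one rule, as suggested in posts 8 and 9, rather than at further privilege changes or disabling endpoint protection.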